Mastering Netfilter & iptables: A Deep Dive into Linux Firewall Architecture
This article explains the Linux Netfilter framework and iptables utility, detailing hook points, rule tables (filter, nat, mangle, raw), chain behavior, packet routing flow, and common command syntax for building robust firewall policies.
1. netfilter and iptables
Netfilter, introduced by Rusty Russell for the Linux 2.4 kernel, provides a lightweight yet flexible firewall framework that supports packet filtering, NAT, address masquerading, transparent proxying, MAC‑based filtering, stateful inspection, rate limiting, and more. iptables is a user‑space tool that manipulates the Netfilter configuration tables stored in kernel memory.
Netfilter defines five hook points where packet processing functions can be invoked:
PRE_ROUTING
INPUT
OUTPUT
FORWARD
POST_ROUTING
The configuration consists of tables, chains, and rules. The main tables are:
1.1 filter, nat, mangle, raw tables
filter table
Used for packet filtering (DROP, ACCEPT, REJECT, LOG). It contains three built‑in chains:
INPUT – packets destined for the local host
FORWARD – packets being routed through the host
OUTPUT – packets generated locally
nat table
Handles network address translation (SNAT, DNAT, MASQUERADE, REDIRECT). It has three chains:
PREROUTING – alters the destination address of incoming packets
OUTPUT – alters the destination address of locally generated packets
POSTROUTING – alters the source address before packets leave the host
mangle table
Modifies packet TOS, TTL, and marks for QoS or policy routing. It includes the five standard chains: PREROUTING, POSTROUTING, INPUT, OUTPUT, FORWARD.
raw table
Introduced in kernel 2.6.9, it decides whether a packet should be tracked by the connection‑tracking subsystem. It provides two chains: OUTPUT and PREROUTING.
The Netfilter connection‑tracking states are:
NEW – packet starts a new connection
RELATED – packet is related to an existing connection (e.g., FTP data channel)
ESTABLISHED – packet belongs to an already established connection
INVALID – packet does not belong to any known connection and should be dropped
1.2 INPUT, FORWARD, OUTPUT chains and their rules
From a packet’s perspective, the five default chains are applied at different processing stages:
INPUT – inbound packets destined for the host
OUTPUT – outbound packets generated by the host
FORWARD – packets routed through the host
PREROUTING – before routing decisions (e.g., DNAT)
POSTROUTING – after routing decisions (e.g., SNAT)
Typical actions (targets) for firewall rules are:
ACCEPT – allow the packet
DROP – silently discard the packet
REJECT – discard the packet and send an error response back to the sender (selectable with --reject-with)
SNAT – source address translation
DNAT – destination address translation
LOG – log packet details to the kernel log (typically /var/log/messages); unlike the targets above, LOG does not terminate rule evaluation
Rule order matters because once a packet matches ACCEPT, DROP, or REJECT, processing stops.
2. Linux packet routing principle
After a packet is received by the NIC and stripped of its link‑layer header, it enters the TCP/IP stack and passes through Netfilter hook points. The typical flow is:
PREROUTING – opportunity to modify destination IP before routing.
If the destination is the local host, the packet proceeds to the INPUT chain.
Locally generated packets traverse the OUTPUT chain, then POSTROUTING where source IP may be altered.
Packets to be forwarded pass through FORWARD and then POSTROUTING before leaving the host.
Understanding this flow is essential when writing iptables rules.
3. iptables rule syntax
Common options include:
-t <table> – specify the table (filter, nat, mangle, raw); filter is the default.
-A – append a rule to the end of a chain.
-I – insert a rule at a given position (at the head of the chain if no position is given).
-D – delete a rule.
-R – replace a rule.
-P – set the default policy for a chain, applied when no rule matches.
-L – list rules; -n disables DNS resolution, so -nL is the usual form.
Match extensions are loaded with -m (e.g., -m state --state ESTABLISHED,RELATED, -m tcp --dport 22).
-j <target> – the action to take on a match, such as ACCEPT, DROP, REJECT.
For detailed examples, refer to common iptables usage guides.
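The following added example (not from the original article) puts the table, chain, conntrack-state and rule-order concepts from sections 1 to 3 together as a minimal stateful host firewall written in iptables-restore format, which loads a whole table atomically. It assumes SSH on tcp/22 is the only inbound service, that the interface is named by WAN_IF, and it applies nothing unless run with --apply.

```shell
#!/bin/sh
# Added example, not part of the original article.
# Assumptions: tcp/22 (SSH) is the only inbound service; loopback and ICMP
# echo are allowed; WAN_IF names the single network interface.

WAN_IF="${WAN_IF:-eth0}"   # assumed interface name

# Print the ruleset. iptables-restore reads this format and replaces the
# filter table atomically, so the ORDER below is the evaluation order:
# the first ACCEPT/DROP/REJECT match ends processing for the packet.
gen_ruleset() {
  cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# Loopback traffic is always local; accept it before any stateful check.
-A INPUT -i lo -j ACCEPT
# Conntrack rules first: replies to our own connections and RELATED flows
# (e.g. FTP data) are accepted without consulting per-service rules.
# (-m conntrack --ctstate is the current form of -m state --state.)
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# INVALID packets belong to no known flow; discard them early.
-A INPUT -m conntrack --ctstate INVALID -j DROP
# Allow ICMP echo so the host stays reachable for diagnostics.
-A INPUT -p icmp --icmp-type echo-request -j ACCEPT
# The only NEW inbound connection permitted: SSH on the WAN interface.
-A INPUT -i $WAN_IF -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
# LOG is non-terminating: log the remainder (rate-limited), then the
# packet falls through to the INPUT chain's DROP policy.
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables-drop: " --log-level 4
COMMIT
EOF
}

# Number of rules evaluated before the chain policy applies.
rule_count() { gen_ruleset | grep -c '^-A '; }

if [ "$1" = "--apply" ]; then
  gen_ruleset | iptables-restore   # requires root
else
  gen_ruleset                      # dry run: print the ruleset only
fi
```

Run without arguments to review the generated ruleset; run with --apply as root to load it.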
MaGe Linux Operations